Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels

  • Ran Canetti
  • Hugo Krawczyk
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2045)


We present a formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that enjoys some important analytical benefits: (i) any key-exchange protocol that satisfies the security definition can be composed with symmetric encryption and authentication functions to provide provably secure communication channels (as defined here); and (ii) the definition allows for simple modular proofs of security: one can design and prove security of key-exchange protocols in an idealized model where the communication links are perfectly authenticated, and then translate them using general tools to obtain security in the realistic setting of adversary-controlled links.

We exemplify the usability of our results by applying them to obtain the proof of two classes of key-exchange protocols, Diffie-Hellman and key-transport, authenticated via symmetric or asymmetric techniques.


Local Output Secret Information Secure Channel Perfect Forward Secrecy Corrupted Party 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    D. Beaver, “Secure Multi-party Protocols and Zero-Knowledge Proof Systems Tolerating a Faulty Minority”, J. Cryptology (1991) 4: 75–122.zbMATHCrossRefGoogle Scholar
  2. 2.
    M. Bellare, R. Canetti and H. Krawczyk, “A modular approach to the design and analysis of authentication and key-exchange protocols”, 30th STOC, 1998.Google Scholar
  3. 3.
    M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, “Relations Among Notions of Security for Public-Key Encryption Schemes”, Advances in Cryptology-CRYPTO'98 Proceedings, Lecture Notes in Computer Science Vol. 1462, H. Krawczyk, ed., Springer-Verlag, 1998, pp. 26–45.Google Scholar
  4. 4.
    M. Bellare, E. Petrank, C. Rackoff and P. Rogaway, “Authenticated key exchange in the public key model,” manuscript 1995-96.Google Scholar
  5. 5.
    M. Bellare and P. Rogaway, “Entity authentication and key distribution”, Advances in Cryptology,-CRYPTO'93, Lecture Notes in Computer Science Vol. 773, D. Stinson ed, Springer-Verlag, 1994, pp. 232–249.CrossRefGoogle Scholar
  6. 6.
    M. Bellare and P. Rogaway, “Provably secure session key distribution-the three party case,” Annual Symposium on the Theory of Computing (STOC), 1995.Google Scholar
  7. 7.
    R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva and M. Yung, “Systematic design of two-party authentication protocols,” IEEE Journal on Selected Areas in Communications (special issue on Secure Communications), 11(5):679–693, June 1993. (Preliminary version: Crypto'91.)Google Scholar
  8. 8.
    S. Blake-Wilson, D. Johnson and A. Menezes, “Key exchange protocols and their security analysis,” Proceedings of the sixth IMA International Conference on Cryptography and Coding, 1997.Google Scholar
  9. 9.
    S. Blake-Wilson and A. Menezes, “Entity authentication and key transport protocols employing asymmetric techniques”, Security Protocols Workshop, 1997.Google Scholar
  10. 10.
    M. Burrows, M. Abadi and R. Needham, “A logic for authentication,” DEC Systems Research Center Technical Report 39, February 1990. Earlier versions in Proceedings of the Second Conference on Theoretical Aspects of Reasoning about Knowledge, 1988, and Proceedings of the Twelfth ACM Symposium on Operating Systems Principles, 1989.Google Scholar
  11. 11.
    R. Canetti, “Security and Composition of Multiparty Cryptographic Protocols”, Journal of Cryptology, Vol. 13, No. 1, 2000.Google Scholar
  12. 12.
    R. Canetti, “A unified framework for analyzing security of Protocols”, manuscript, 2000. Available at
  13. 13.
    R. Canetti and H. Krawczyk, “Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels (Full Version)”,
  14. 14.
    R. Canetti and H. Krawczyk, “Proving secure composition of key-exchange protocols with any application”, in preparation.Google Scholar
  15. 15.
    W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Trans. Info. Theory IT-22, November 1976, pp. 644–654.CrossRefMathSciNetGoogle Scholar
  16. 16.
    W. Diffie, P. van Oorschot and M. Wiener, “Authentication and authenticated key exchanges”, Designs, Codes and Cryptography, 2, 1992, pp. 107–125.CrossRefGoogle Scholar
  17. 17.
    O. Goldreich, “Foundations of Cryptography (Fragments of a book)”, Weizmann Inst. of Science, 1995. (Available at
  18. 18.
    O. Goldreich, S. Goldwasser and S. Micali, “How to construct random functions,” Journal of the ACM, Vol. 33, No. 4, 210–217, (1986).CrossRefMathSciNetGoogle Scholar
  19. 19.
    S. Goldwasser, and L. Levin, “Fair Computation of General Functions in Presence of Immoral Majority”, CRYPTO '90, LNCS 537, Springer-Verlag, 1990.Google Scholar
  20. 20.
    S. Goldwasser and S. Micali, Probabilistic encryption, JCSS, Vol. 28, No 2, April 1984, pp. 270–299.zbMATHMathSciNetGoogle Scholar
  21. 21.
    S. Goldwasser, S. Micali and C. Rackoff, “The Knowledge Complexity of Interactive Proof Systems”, SIAM Journal on Comput., Vol. 18, No. 1, 1989, pp. 186–208.zbMATHCrossRefMathSciNetGoogle Scholar
  22. 22.
    C.G. Günther, “An identity-based key-exchange protocol”, Advances in Cryptology-EUROCRYPT'89, Lecture Notes in Computer Science Vol. 434, Springer-Verlag, 1990, pp. 29–37.Google Scholar
  23. 23.
    D. Harkins and D. Carrel, ed., “The Internet Key Exchange (IKE)”, RFC 2409, November 1998.Google Scholar
  24. 24.
    ISO/IEC IS 9798-3, “Entity authentication mechanisms — Part 3: Entity authentication using asymmetric techniques”, 1993.Google Scholar
  25. 25.
    H. Krawczyk, “The order of encryption and authentication for protecting communications (Or: how secure is SSL?)”, manuscript.Google Scholar
  26. 26.
    H. Krawczyk, “SKEME: A Versatile Secure Key Exchange Mechanism for Internet,”, Proceedings of the 1996 Internet Society Symposium on Network and Distributed System Security, Feb. 1996, pp. 114–127.Google Scholar
  27. 27.
    P. Lincoln, J. Mitchell, M. Mitchell, A. Schedrov, “A Probabilistic Poly-time Framework for Protocol Analysis”, 5th ACMConf. on Computer and System Security, 1998.Google Scholar
  28. 28.
    A. Menezes, P. Van Oorschot and S. Vanstone, “Handbook of Applied Cryptography,” CRC Press, 1996.Google Scholar
  29. 29.
    S. Micali and P. Rogaway, “Secure Computation”, unpublished manuscript, 1992. Preliminary version in CRYPTO 91.Google Scholar
  30. 30.
    R. Needham and M. Schroeder, “Using encryption for authentication in large networks of computers,” Communications of the ACM, Vol. 21, No. 12, December 1978, pp. 993–999.zbMATHCrossRefGoogle Scholar
  31. 31.
    B. Pfitzmann, M. Schunter and M. Waidner, “Secure Reactive Systems”, IBM Research Report RZ 3206 (#93252), IBM Research, Zurich, May 2000.Google Scholar
  32. 32.
    B. Pfitzmann and M. Waidner, “A General Framework for Formal Notions of’ secure’ System”, Hildesheimer Informatik-Berichte 11/94 Institut für Informatik, Universität Hildesheim, April 1994.Google Scholar
  33. 33.
    B. Pfitzmann and M. Waidner, “A model for asynchronous reactive systems and its application to secure message transmission”, IBM Research Report RZ 3304 (#93350), IBM Research, Zurich, December 2000.Google Scholar
  34. 34.
    V. Shoup, “On Formal Models for Secure Key Exchange”, Theory of Cryptography Library, 1999. Available at:

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Ran Canetti
    • 1
  • Hugo Krawczyk
    • 2
  1. 1.IBM T.J. Watson Research CenterYorktown Heights
  2. 2.EE DepartmentTechnionHaifaIsrael

Personalised recommendations